[WFLY-5745] Make sure that setting a run-as-principal or run-as-role …

…doesn't affect the caller's identity or roles
wildfly · Jan 26, 2016 · 08b5940 · 08b5940
1 parent fc41aa9
commit 08b5940
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 4 deletions.
diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java b/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java
@@ -122,6 +122,7 @@ public Principal run() {
     };
 
     private final SecurityDomain securityDomain;
+    private SecurityIdentity incomingRunAsIdentity;
 
     /**
      * Construct a new instance.
@@ -175,6 +176,7 @@ protected EJBComponent(final EJBComponentCreateService ejbComponentCreateService
         this.exceptionLoggingEnabled = ejbComponentCreateService.getExceptionLoggingEnabled();
 
         this.securityDomain = ejbComponentCreateService.getSecurityDomain();
+        this.incomingRunAsIdentity = null;
     }
 
     protected <T> T createViewInstanceProxy(final Class<T> viewInterface, final Map<Object, Object> contextData) {
@@ -259,14 +261,22 @@ public ApplicationExceptionDetails getApplicationException(Class<?> exceptionCla
 
     public Principal getCallerPrincipal() {
         if (isSecurityDomainKnown()) {
-            return securityDomain.getCurrentSecurityIdentity().getPrincipal();
+            return (incomingRunAsIdentity == null) ? securityDomain.getCurrentSecurityIdentity().getPrincipal() : incomingRunAsIdentity.getPrincipal();
         } else if (WildFlySecurityManager.isChecking()) {
             return WildFlySecurityManager.doUnchecked(getCaller);
         } else {
             return this.serverSecurityManager.getCallerPrincipal();
         }
     }
 
+    public SecurityIdentity getIncomingRunAsIdentity() {
+        return incomingRunAsIdentity;
+    }
+
+    public void setIncomingRunAsIdentity(SecurityIdentity identity) {
+        this.incomingRunAsIdentity = identity;
+    }
+
     protected TransactionAttributeType getCurrentTransactionAttribute() {
 
         final InterceptorContext invocation = CurrentInvocationContext.get();
@@ -404,7 +414,7 @@ public boolean isBeanManagedTransaction() {
 
     public boolean isCallerInRole(final String roleName) throws IllegalStateException {
         if (isSecurityDomainKnown()) {
-            final SecurityIdentity identity = securityDomain.getCurrentSecurityIdentity();
+            final SecurityIdentity identity = (incomingRunAsIdentity == null) ? securityDomain.getCurrentSecurityIdentity() : incomingRunAsIdentity;
             return "**".equals(roleName) ? ! (identity.getPrincipal() instanceof AnonymousPrincipal) : identity.getRoles("ejb", true).contains(roleName);
         } else if (WildFlySecurityManager.isChecking()) {
             return WildFlySecurityManager.doUnchecked(new PrivilegedAction<Boolean>() {

diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/security/RunAsPrincipalInterceptor.java b/ejb3/src/main/java/org/jboss/as/ejb3/security/RunAsPrincipalInterceptor.java
@@ -22,6 +22,9 @@
 
 package org.jboss.as.ejb3.security;
 
+import org.jboss.as.ee.component.Component;
+import org.jboss.as.ejb3.component.EJBComponent;
+import org.jboss.as.ejb3.logging.EjbLogger;
 import org.jboss.invocation.Interceptor;
 import org.jboss.invocation.InterceptorContext;
 import org.wildfly.common.Assert;
@@ -39,9 +42,23 @@ public RunAsPrincipalInterceptor(final String runAsPrincipal) {
     }
 
     public Object processInvocation(final InterceptorContext context) throws Exception {
+        final Component component = context.getPrivateData(Component.class);
+        if (component instanceof EJBComponent == false) {
+            throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
+        }
+        final EJBComponent ejbComponent = (EJBComponent) component;
+
+        // Set the incomingRunAsIdentity before switching users
         final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
         Assert.checkNotNullParam("securityDomain", securityDomain);
-        final SecurityIdentity newIdentity = securityDomain.getCurrentSecurityIdentity().createRunAsIdentity(runAsPrincipal);
-        return newIdentity.runAs(context);
+        final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity();
+        final SecurityIdentity oldIncomingRunAsIdentity = ejbComponent.getIncomingRunAsIdentity();
+        try {
+            final SecurityIdentity newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal);
+            ejbComponent.setIncomingRunAsIdentity(currentIdentity);
+            return newIdentity.runAs(context);
+        } finally {
+            ejbComponent.setIncomingRunAsIdentity(oldIncomingRunAsIdentity);
+        }
     }
 }